Source: OJ L 2024/2847, 20.11.2024

Current language: EN

Article 28 EU declaration of conformity

Summary What does Article 28 of the CRA regulation say?

This article governs the EU declaration of conformity that manufacturers must produce to demonstrate their product with digital elements meets the essential cybersecurity requirements of the regulation.

It flows directly from Article 13, which sets out the broader obligations of manufacturers, and specifies the formal requirements for the declaration: its structure, content, language availability, and the legal responsibility it confers.

A notable practical provision addresses situations where a product falls under multiple Union legal acts, allowing a single consolidated declaration to cover all of them.

Important points:

  • Manufacturers are required to draw up an EU declaration of conformity confirming that the essential cybersecurity requirements of Annex I have been met, and by doing so, they formally assume legal responsibility for the product's compliance.
  • The declaration must follow the model structure in Annex V, be updated as appropriate, and be made available in the languages required by the Member State where the product is placed on the market.
  • The Commission has the power to adopt delegated acts to add elements to the minimum content of the declaration in Annex V to account for technological developments.

Springlex's summary of the article, a reading aid, not a substitute for the legal text.

    1. The EU declaration of conformity shall be drawn up by manufacturers in accordance with Article 13(12) and state that the fulfilment of the applicable essential cybersecurity requirements set out in Annex I has been demonstrated.

    1. The EU declaration of conformity shall have the model structure set out in Annex V and shall contain the elements specified in the relevant conformity assessment procedures set out in Annex VIII. Such a declaration shall be updated as appropriate. It shall be made available in the languages required by the Member State in which the product with digital elements is placed on the market or made available on the market.

    2. The simplified EU declaration of conformity referred to in Article 13(20) shall have the model structure set out in Annex VI. It shall be made available in the languages required by the Member State in which the product with digital elements is placed on the market or made available on the market.

    1. Where a product with digital elements is subject to more than one Union legal act requiring an EU declaration of conformity, a single EU declaration of conformity shall be drawn up in respect of all such Union legal acts. That declaration shall contain the identification of the Union legal acts concerned, including their publication references.

    1. By drawing up the EU declaration of conformity, the manufacturer shall assume responsibility for the compliance of the product with digital elements.

    1. The Commission is empowered to adopt delegated acts in accordance with Article 61 to supplement this Regulation by adding elements to the minimum content of the EU declaration of conformity set out in Annex V to take account of technological developments.

Table of contents

We're continuously improving our platform to serve you better.

Your feedback matters! Let us know how we can improve.

Contact us:

springlex@springflod.se

Found a bug?

Springflod is a Swedish boutique consultancy firm specialising in cyber security within the financial services sector.

We offer professional services concerning information security governance, risk and compliance.

Crafted with ❤️ by Springflod